Ransomware: The Sleeping Giant at Black Hat


Black Hat 2025 had plenty of shiny new toys and buzzword-heavy sessions, but the real story was hiding in plain sight. No ransomware track. No packed panel on the threat that has cost organizations billions and taken down some of the most secure environments on the planet. The only time it truly took center stage was when Mikko Hyppönen made it impossible to ignore.
For those paying attention, three truths stood out. Agentic AI will accelerate ransomware campaigns to speeds that will overwhelm unprepared defenders. Ransomware is the next stage in the evolution of malware, and it will only become more capable. Modern security stacks, no matter how mature or expensive, are still being bypassed with troubling ease.
Agentic AI Will Accelerate Ransomware
Nicole Perlroth’s keynote on agentic AI should have been a wake-up call for anyone who still thinks of AI as purely a defensive tool. She described systems that, once pointed at a target, can plan, adapt, and execute end-to-end operations without human involvement. They can choose attack paths, adjust to changing defenses in real time, and recover from setbacks automatically.
Put that kind of capability in the hands of ransomware crews, and you get operations that run continuously, adapt mid-strike, and move faster than any human-led security team can respond. This is not just a speed advantage; it is a complete shift in the tempo of the fight, compressing the defender’s response window to seconds.
Ransomware Operations Will Continue to Evolve
Hyppönen’s keynote drove home the second truth. Ransomware has fully evolved into the most dangerous form of financially motivated malware we have ever faced. The Ransomware-as-a-Service model has industrialized the business, giving even low-skill actors access to advanced tooling, infrastructure, and stolen access marketplaces.
Specialization across the ecosystem, from initial access brokers to dedicated negotiation teams, has made it leaner, faster, and harder to take down. Even when law enforcement gets a win, the result is often a more agile and efficient version of the operation emerging on the other side. Ransomware is not going away, and it is not slowing down.
Modern Security Stacks Are Being Bypassed
The third truth is the one many organizations do not want to face. We are watching high-profile companies with EDR, SIEM, firewalls, and multiple layers of defense still get taken apart by ransomware crews. This is happening before those crews have even fully exploited what agentic AI will make possible.
Perlroth warned that when AI begins orchestrating intrusion chains, adapting TTPs in real time, and removing human lag, the gap between attacker and defender will widen fast. The current success rate of human-driven ransomware campaigns is proof that the traditional stack has a blind spot ransomware operators know exactly how to exploit.
That blind spot is driving the need for a fundamental change in how we confront the threat. Incremental improvements to the same old stack will not be enough in the era of agentic AI.
Closing the Gap
There is a clear need for dedicated anti-ransomware solutions specifically built to detect and disrupt the earliest stages of the ransomware attack chain. That means identifying initial access attempts, privilege escalation, lateral movement, and tampering with controls before the payload is deployed. If we cannot see the attack forming, we cannot stop it.
Closing that gap will require capabilities designed from the ground up to surface ransomware precursors at speed, make automated containment decisions, and give defenders the chance to act before encryption starts. As Hyppönen pointed out, the earlier you catch them in the kill chain, the better your odds. Wait until the payload is deploying, and you are already in the red.
The Giant is Waking
Both Perlroth and Hyppönen landed on the same conclusion: AI is a force multiplier. For attackers, it means scaling operations without scaling headcount. For defenders, it offers the chance to finally keep up, but only if they move now. The old adage is still true: attackers need one successful intrusion to bankroll years of activity. Defenders have to win every single time.
Hyppönen’s parting shot was blunt. What we see now may be nothing compared to what is coming. Just as the spam of the early 2000s looks quaint next to today’s phishing campaigns, the ransomware of 2025 may soon seem primitive once agentic AI is fully in play. AI will accelerate every stage of the operation, from reconnaissance to detonation, shrinking the window to stop it from days or hours to seconds.
Ransomware’s trajectory after Black Hat is unmistakable. Agentic AI will drive it to speeds that will overwhelm unprepared defenders. It has already become the next stage in malware’s evolution, growing more capable with each iteration. Modern security stacks are being bypassed far too often, proving there is a gap the adversary knows how to exploit.
The giant is awake, and every moment we delay gives it more ground. Closing that gap requires purpose-built anti-ransomware capabilities that can detect and disrupt the earliest stages of an attack, respond at machine speed, and stop the operation before the payload ever has a chance to execute.
Halcyon eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.